{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32734", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-13T15:02:00.627Z", "datePublished": "2026-03-31T00:46:43.317Z", "dateUpdated": "2026-03-31T18:53:24.730Z"}, "containers": {"cna": {"title": "baserCMS: Multiple vulnerabilities in baserCMS", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/baserproject/basercms/security/advisories/GHSA-677c-xv24-crgx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/baserproject/basercms/security/advisories/GHSA-677c-xv24-crgx"}, {"name": "https://basercms.net/security/JVN_20837860", "tags": ["x_refsource_MISC"], "url": "https://basercms.net/security/JVN_20837860"}, {"name": "https://github.com/baserproject/basercms/releases/tag/5.2.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/baserproject/basercms/releases/tag/5.2.3"}], "affected": [{"vendor": "baserproject", "product": "basercms", "versions": [{"version": "< 5.2.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T00:46:43.317Z"}, "descriptions": [{"lang": "en", "value": "baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has DOM-based cross-site scripting in tag creation. This issue has been patched in version 5.2.3."}], "source": {"advisory": "GHSA-677c-xv24-crgx", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T18:50:30.372289Z", "id": "CVE-2026-32734", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T18:53:24.730Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32734", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T18:50:30.372289Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T18:50:31.428Z"}}], "cna": {"title": "baserCMS: Multiple vulnerabilities in baserCMS", "source": {"advisory": "GHSA-677c-xv24-crgx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "baserproject", "product": "basercms", "versions": [{"status": "affected", "version": "< 5.2.3"}]}], "references": [{"url": "https://github.com/baserproject/basercms/security/advisories/GHSA-677c-xv24-crgx", "name": "https://github.com/baserproject/basercms/security/advisories/GHSA-677c-xv24-crgx", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://basercms.net/security/JVN_20837860", "name": "https://basercms.net/security/JVN_20837860", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/baserproject/basercms/releases/tag/5.2.3", "name": "https://github.com/baserproject/basercms/releases/tag/5.2.3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has DOM-based cross-site scripting in tag creation. This issue has been patched in version 5.2.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T00:46:43.317Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32734", "state": "PUBLISHED", "dateUpdated": "2026-03-31T18:53:24.730Z", "dateReserved": "2026-03-13T15:02:00.627Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-31T00:46:43.317Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:basercms:basercms:*:*:*:*:*:*:*:*", "matchCriteriaId": "07DEEEF3-0621-431D-8A38-405EDBD0957E", "versionEndExcluding": "5.2.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has DOM-based cross-site scripting in tag creation. This issue has been patched in version 5.2.3."}, {"lang": "es", "value": "baserCMS es un framework de desarrollo de sitios web. Antes de la versi\u00f3n 5.2.3, baserCMS tiene cross-site scripting basado en DOM en la creaci\u00f3n de etiquetas. Este problema ha sido parcheado en la versi\u00f3n 5.2.3."}], "id": "CVE-2026-32734", "lastModified": "2026-04-01T18:56:51.433", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-31T01:16:36.590", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://basercms.net/security/JVN_20837860"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/baserproject/basercms/releases/tag/5.2.3"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/baserproject/basercms/security/advisories/GHSA-677c-xv24-crgx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.2.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "basercms", "vendor": "baserproject"}], "analysis": {"en": {"generated_at": "2026-04-02T03:18:28.694025+00:00", "value": {"mitigation_remediation": ["Upgrade baserCMS to version 5.2.3 or later", "Ensure that any tag creation input is sanitized or encoded so that script code cannot be injected", "Review site\u2011wide input handling for similar DOM\u2011based vulnerabilities"], "summary": {"action": "Patch", "impact": "DOM-based Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The flaw exists in baserCMS versions prior to 5.2.3, including all releases from 5.0.0 up to 5.2.2. The vulnerable component is part of baserproject\u2019s basercms framework, which is deployed on user\u2011managed web sites.", "description_and_impact": "The vulnerability is a DOM\u2011based cross\u2011site scripting flaw that occurs when a user creates a tag. Improper encoding of user\u2011supplied data allows an attacker to inject arbitrary JavaScript that runs in the browser of any visitor to the affected page. The resulting compromise can include session hijacking, credential theft, or defacement, as the attacker can execute code with the privileges of the victim user. This weakness is identified as CWE\u201179.", "risk_and_exploitability": "The CVSS v3.1 score of 7.1 indicates high severity. The EPSS score of less than 1% suggests that the probability of exploitation is currently low, and the vulnerability is not listed in CISA\u2019s Known Exploited Vulnerabilities catalog. Based on the description it is inferred that the attack vector is likely remote, originating from the public tag\u2011creation endpoint where malicious input can be submitted via a web form or API. Attacking therefore requires an attacker to supply the malicious payload, but no authentication is needed if the endpoint is publicly reachable. The resulting damage would be confined to the browsers of users who view the affected tag content."}}}}, "created": "2026-03-31T19:56:37.918011+00:00", "updated": "2026-04-03T09:10:39.874600+00:00", "vendors": ["baserproject", "baserproject$PRODUCT$basercms"]}